type: security
subject: Updated ghostscript packages fix security vulnerabilities
CVE:
 - CVE-2018-15908
 - CVE-2018-15909
 - CVE-2018-15910
 - CVE-2018-15911
 - CVE-2018-16509
 - CVE-2018-16510
 - CVE-2018-16511
 - CVE-2018-16513
 - CVE-2018-16539
 - CVE-2018-16540
 - CVE-2018-16541
 - CVE-2018-16542
 - CVE-2018-16543
 - CVE-2018-16802
src:
  6:
   core:
     - ghostscript-9.24-1.5.mga6
description: |
  Updated ghostscript packages fix several security vulnerabilities
  including:

  In Artifex Ghostscript 9.23 before 2018-08-23, attackers are able to supply
  malicious PostScript files to bypass .tempfile restrictions and write files
  (CVE-2018-15908).

  In Artifex Ghostscript 9.23 before 2018-08-24, a type confusion using the
  .shfill operator could be used by attackers able to supply crafted PostScript
  files to crash the interpreter or potentially execute code (CVE-2018-15909).

  In Artifex Ghostscript before 9.24, attackers able to supply crafted
  PostScript files could use a type confusion in the LockDistillerParams
  parameter to crash the interpreter or execute code (CVE-2018-15910).

  In Artifex Ghostscript 9.23 before 2018-08-24, attackers able to supply
  crafted PostScript could use uninitialized memory access in the aesdecode
  operator to crash the interpreter or potentially execute code
  (CVE-2018-15911).

  An issue was discovered in Artifex Ghostscript before 9.24. Incorrect
  "restoration of privilege" checking during handling of /invalidaccess
  exceptions could be used by attackers able to supply crafted PostScript
  to execute code using the "pipe" instruction (CVE-2018-16509).

  An issue was discovered in Artifex Ghostscript before 9.24. Incorrect exec
  stack handling in the "CS" and "SC" PDF primitives could be used by remote
  attackers able to supply crafted PDFs to crash the interpreter or possibly
  have unspecified other impact (CVE-2018-16510).

  An issue was discovered in Artifex Ghostscript before 9.24. A type
  confusion in "ztype" could be used by remote attackers able to supply
  crafted PostScript to crash the interpreter or possibly have unspecified
  other impact (CVE-2018-16511).

  In Artifex Ghostscript before 9.24, attackers able to supply crafted
  PostScript files could use a type confusion in the setcolor function to
  crash the interpreter or possibly have unspecified other impact
  (CVE-2018-16513).

  In Artifex Ghostscript before 9.24, attackers able to supply crafted
  PostScript files could use incorrect access checking in temp file handling
  to disclose contents of files on the system otherwise not readable
  (CVE-2018-16539).

  In Artifex Ghostscript before 9.24, attackers able to supply crafted
  PostScript files to the builtin PDF14 converter could use a use-after-free
  in copydevice handling to crash the interpreter or possibly have unspecified
  other impact (CVE-2018-16540).

  In Artifex Ghostscript before 9.24, attackers able to supply crafted
  PostScript files could use incorrect free logic in pagedevice replacement
  to crash the interpreter (CVE-2018-16541).

  In Artifex Ghostscript before 9.24, attackers able to supply crafted
  PostScript files could use insufficient interpreter stack-size checking
  during error handling to crash the interpreter (CVE-2018-16542).

  In Artifex Ghostscript before 9.24, gssetresolution and gsgetresolution
  allow attackers to have an unspecified impact (CVE-2018-16543).

  An issue was discovered in Artifex Ghostscript before 9.25. Incorrect
  "restoration of privilege" checking when running out of stack during
  exception handling could be used by attackers able to supply crafted
  PostScript to execute code using the "pipe" instruction. This is due to
  an incomplete fix for CVE-2018-16509 (CVE-2018-16802).

  GS Bug 699663: .setdistillerkeys memory corruption. (CVE Requested)

  GS Bug 699699: Crash upon bogus input argument

  GS Bug 699719: Fix @ files in arg handling

  GS Bug 699711: Review arg_next to ensure that NULL arg returns are coped with

  GS Bug Fix SEGV seen in all-devices test with plank examples/ridt91.eps

  GS Bug 699708 (part 1): 'Hide' non-replaceable error handlers for SAFER

  GS Bug 699707: Security review bug - continuation procedures
references:
 - https://bugs.mageia.org/show_bug.cgi?id=23526
 - https://www.ghostscript.com/doc/9.24/History9.htm#Version9.24
 - http://openwall.com/lists/oss-security/2018/09/05/3
 - http://openwall.com/lists/oss-security/2018/09/06/3
 - http://openwall.com/lists/oss-security/2018/09/09/1
 - http://openwall.com/lists/oss-security/2018/09/09/2
 - http://openwall.com/lists/oss-security/2018/09/11/1
ID: MGASA-2018-0378